Professional Documents
Culture Documents
Web Programming
Lecture 8:
Introduction to Sessions
Sessions
• Session:
Set of pages submitted by user to accomplish goal
– Example: Most on-line shopping
Enter Enter
Add to cart shipping payment Reciept
information information
Need for Session Handling
• Problem:
No easy way to associate steps if multiple clients
– Nothing built into the web allows server to know where a request is
coming from.
– Server may have to simultaneously manage thousands of sessions.
4
Session Handling
• Sessions can be accessed from both servlet and JSP
– Servlet: Construct a new session object from the request
HttpSession session = request.getSession();
– JSP: Just use built-in session object which Tomcat creates
from request (like request object)
request : Server
Servlet
form data + session ID
session ID data
Construct
created for associated
session object
client with this
client
JSP
Use session
object
5
Creating a New Session
• Done automatically first time session requested by servlet or JSP
– HttpSession session = request.getSession();
in servlet
– Use of session object in JSP
• Tomcat:
– Knows this because no session ID included in request
– Generates new ID not used for current session (or recent past session)
– Creates new session table entry for that ID
Client computer
Server
Browser Servlet
Response or JSP
Store session ID
web page + Create
session ID response
Cookies
session ID +
server name
Passing Session IDs
• Automatically included in request sent in future to same
server
– All cookie values associated with server sent with request
– Server now knows who client is!
Client computer
Server
Browser Servlet
Request = or JSP
Retrieve session ID
parameters + Handle
session ID request
Cookies
session ID +
server name
Associating Session Data
• Servlets/JSPs can store data associated with session ID
• Servlets/JSPs can look up that data in future when
passed the session ID in request
Server
session ID Client data
Servlet or
Session session ID Client data
JSP ID for
Request lookup
session ID Client data
Needs
including session ID Client data
session
session ID session ID Client data
data
Client data
associated with
session
Storing Session Data
• Syntax:
session.setAttribute(“name”, object);
– Like parameters, session data stored as name/value pairs
– Like attributes, can store any Java object
• Often a “shopping cart” object
… …
Storing Session Data
Retrieving Session Data
• Syntax:
type variable =
(type)session.getAttribute(“name”);
• Will be null if
– No session created for this client
– That value not stored for this client
Retrieving Session Data
Session Example
StoreInfo servlet
creates session and
“Mai Anh Tho”, stores the information
tho@hcmuaf.edu.vn in new session
passed to server
email “tho@hcmuaf.edu.vn”
Session Example
Cookies
StoreInfo servlet
ID= fieh4K39Rdk adds session ID to
server=www.widgets.com
response
Session ID
getQuantity JSP
Response =
sends session ID to
page + client as part of page
Session ID
Session Example
Cookies
ID= fieh4K39Rdk
server=www.widgets.com
Sending request to
www.widgets.com, so
retrieve its cookies
Server at
quantity=27& www.widgets.com
ID= fieh4K39Rdk
submitted in request
Session Example
Reciept JSP
retrieves information
quantity=27&
ID= fieh4K39Rdk associated with the
session ID and inserts
submitted in request into the response page
email “tho@hcmuaf.edu.vn”
URL Encoding
• Many users disable cookies!
– Often default in some browsers
– Need alternative way of storing session information on server
Solution:
• Pass session ID to the client as part of every response
• Insure that client sends that session ID back to the
server as part of every request
• Since you have no way of knowing whether user has
cookies, you must do this!
URL Encoding
• Syntax:
<form action=
“<%= response.encodeURL(“url”) %>”
method=…> Page being
requested
Goal:
Prevent users from directly going to other
pages without first going to initial page
Sessions for Access Control
Solution:
• Set session attribute at servlet called from first page
– Use this in other pages to determine whether initial page
requested in this session
Sessions for Access Control
• All other JSPs test whether attribute is null
• If so, redirect to another page
– Initial page in sequence
– Error page telling session has expired
• Syntax for redirection from JSP:
<jsp:forward page=”url to forward to”/>
Sessions for Access Control
Redirected here